Security in the Ether

Security in the Ether

be used to its full potential, new and troubling issues may arise. For one thing, even clouds that are safe from ordinary hackers could become central points of Internet control, warns Jonathan Zittrain, the cofounder of Harvard’s Berkman Center for Internet and Society and the author of The Future of the Internet–and How to Stop It. Regulators, courts, or overreaching government officials might see them as convenient places to regulate and censor, he says.

What’s more, cloud providers themselves could crack down on clients if, say, copyright holders apply pressure to stop the use of file-sharing software. “For me,” Zittrain says, “the biggest issue in cloud security is not the Sidekick situation where Microsoft loses your data.” More worrisome to him are “the increased ability for the government to get your stuff, and fewer constitutional protections against it; the increased ability for government to censor; and increased ability for a vendor or government to control innovation and squash truly disruptive things.”

Zittrain also fears that if clouds dominate our use of IT, they may turn into the kinds of “walled gardens” that characterized the Internet in the mid-1990s, when companies such as Compuserve, Prodigy, and AOL provided limited menus of online novelties such as news, e-commerce, and e-mail to the hoi polloi. Once people pick a cloud and applications they like, he says–Google Apps, for example–they may find they have limited access to great apps in other clouds, much as Facebook users can’t network with people on MySpace.

But such concerns aren’t stopping the ascendance of the cloud. And if cloud security is achieved, the benefits could be staggering. “There is a horrendous amount of computing and database management where cloud computing is clearly relevant,” says Harvard’s Dale Jorgenson. Imagine if today’s emerging online repositories for personal health data, such as Google Health and Microsoft HealthVault, could link up with the growing number of electronic records systems at hospitals in a way that keeps private data protected at all times. The resulting medical megacloud could spread existing applications cheaply and efficiently to all corners of the medical profession. Doctors could easily compare patients’ MRI scans, for example, with those of other patients around the country, and delve into vast databases to analyze the efficacy of treatments and prevention measures (see “Prescription: Networking,” November/December 2009). “The potential there is enormous, because there are a couple of transformations that may occur in medicine in the near future from vast collections of medical records,” says Ian Foster, a computer scientist who leads the Computation Institute at Argonne National Laboratory and the University of Chicago. Today, he points out, individuals are demanding access to their own medical information while medical institutions seek new sources of genomic and other data. “The two of those, together, can be powered by large-scalesharing of information,” he says. “And maybe you can do it in the cloud. But it has particularly challenging security problems.”

This isn’t the first time a new information technology has offered profound benefits while raising potentially intolerable security risks. The advent of radio posed similar issues a century ago, says Whitfield Diffie, one of the pioneers of public-key cryptography, who is now a visiting professor at Royal Holloway College at the University of London. Radio was so much more flexible and powerful than what it replaced–the telegraph–that you had to adopt it to survive in business or war. The catch was that radio can be picked up by anyone. In radio’s case, fast, automated encryption and decryption technologies replaced slow human encoders, making it secure enough to realize its promise. Clouds will experience a similar evolution. “Clouds are systems,” says NIST’s Peter Mell. “And with systems, you have to think hard and know how to deal with issues in that environment. The scale is so much bigger, and you don’t have the physical control. But we think people should be optimistic about what we can do here. If we are clever about deploying cloud computing with a clear-eyed notion of what the risk models are, maybe we can actually save the economy through technology.”